Josh_40017
Jan 20, 2015

F5 ASM policy modification

Hello,

 

I created an ASM policy (it is in blocking mode) and it is working without much issue. However, the developers updated the site/webpage and applied certain patches, and now the policy doesn't work properly. Is it the norm to put the policy in transparent mode after an update to the webpage and accept (from manual policy learning) and add the new URL, parameter, etc. to the policy? Or is there a different way to do this? I am a little concerned we might be exposing the site while the policy is in transparent mode.

 

Thank you --Joshy

 

4 Replies

  • Probably too late now, but it is nice if you can have a test environment with a test ASM policy, in which the developers deploy a new version first and where you can more safely make changes.

     

  • Hello Joshy, your scenario is exactly why the Real Traffic Policy Builder method was invented for initial policy creation, as Arnaud said. If you are concerned about the vulnerability of transparent mode, you can leave the current policy in blocking mode, but also ensure that whatever entities are triggering violations are in staging mode (especially attack signatures), and also ensure that you have a wildcard in place for file types, parameters, and URLs. For many manual policies, it is not unusual for admins to interpret numerous violations. It's a balance of how easy you want your management work to be versus how comprehensive you want the security policy to be. Hopefully you will not have too many new entities to deal with. The goal is not to block valid requests. How many new violations do you have?

     

  • Unfortunately we do not have a test environment yet and we are looking to update our procedures on updating websites.

     

    I think I am going to look into the track site change option Arnaud mentioned. Thank you all again for the assistance.

     

    Thank you, --Joshy